Special thanks to @Shinzu and @Pandora-Box for their posts.
I have WireGuard server running on a VPS in the USA, and 2 DDWRT routers, ASUS RT-AC68U and Netgear R7000 running as WireGuard clients on the latest Kong firmware (Sept 23/18). Many devices are using the VPN, including Chromecast, Roku, Google Home Mini, several MacOS machines, Samsung Tablets and Samsung Phones. The setup has been rock stable for several days now. The WG client routers are each on their own separate LAN subnet. My main router is also an R7000 running a recent Kong firmware, but minus the WG client software. I previously used Algo VPN client software, which was terrific and first introduced me to WireGuard last summer when TrailofBits included it in their Algo install scripts.
Server Setup
I run the minimum IPv4 instance available at Vultr. Its 20 GB / 1 vCPU / 512 MB / 500 GB combo at 3.50 per month is a winner. We're on 50 Mbit DSL about 150 km from the server, and we get no speed loss or packet loss whatsoever running through the WG server at such a close distance. There is zero speed/ping difference between the VPN connection and our regular ISP connection. I keep a WG base install (with all security settings in place) backed up as a snapshot, so destroying and redeploying a WG server instance is literally a 5 minute operation. At home, a couple of IP changes in the router NVRAM and everything is back up really quickly. I like that.
Just like @Pandora-Box, my WireGuard server setup was done by following the guide on the following site:
I've been running DDWRT for over a decade, and am partial to the Kong builds. I purchase my routers based on compatibility with his releases. After reading Shinzu's post about modding the Kong firmware via the commandline to run WireGuard, I went out and purchased two compatible routers on a Boxing Day sale. I didn't want to risk compromising my main R7000, as I knew this could be a challenging and time consuming venture before all was running to plan. Besides that, I wanted WireGuard on separate deeper subnets anyway, not directly facing the internet.
The fresh out-of-the-box Netgear R7000 was chosen first for the operating table. I saw the @liverpoolatnight post on https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=312522&postdays=0&postorder=asc&start=30 (Thanks!) and noticed the 'WireGuard' option in a pulldown menu portion of the graphic that he included in the post. I decided (like @Pandora-Box) that installing the BS firmware would allow me to grab the required WG files and nvram settings directly off the router before reinstalling DDWRT with a Kong build. I kept a list of steps as I went through the process. This list may seem redundant for experienced users, but I wrote it so that even a newcomer to DDWRT may find it useful.
Netgear R7000 Wireguard Client Installation
1. Install BrainSlayer r37860 first
2. Mount /JFFS to USB storage and share it via Samba
3. Move all required files (as per Shinzu's post) to /JFFS and grab them with MacOS
4. Copy all oet1 settings from nvram to a text file in MacOS
5. Save all files in a secure location for later use
1. Use a small USB stick <= 8GB
2. Follow instructions at:
https://wiki.dd-wrt.com/wiki/index.php/How_to_-_Format_and_Partition_External_Storage_Device
(Make sure to include the JFFS partition on the USB)
3. Plug USB into R7000
4. Services/USB -
enable Core USB Support / enable USB Storage Support / enable Automatic Drive Mount
5. Disk Info - /opt and swap should now both be mounted
6. Administration/JFFS2 Support - enable Internal Flash Storage / enable Clean Internal Flash Storage
7. Reboot R7000
Required Software Installation
1. SSH into R7000
2. Install Entware -
cd /opt
wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh
sh generic.sh
3. Install Nano - opkg install nano
4. Install SFTP - opkg install openssh-sftp-server
5. Test SFTP - sftp root@192.168.1.1 (SSH Authorized Key must be properly configured)
Install Wireguard Binaries & Scripts
(Please note that all Supporting Code for scripts/firewall is at the end of this post)
1. Use SSH connected to ddwrt
cd /opt/etc
mkdir wireguard
cd /jffs/etc
mkdir config
mkdir wireguard
2. Use sftp connected to ddwrt as in (5) above (using binaries stored on local filesystem)
put <local binaries folder>/wg /opt/bin/wg
put <local binaries folder>/libmnl.so /opt/lib/libmnl.so
put <local binaries folder>/libmnl.so.0 /opt/lib/libmnl.so.0
put <local binaries folder>/libmnl.so.0.2.0 /opt/lib/libmnl.so.0.2.0
put <local binaries folder>/wireguard.ko /opt/etc/wireguard/wireguard.ko
put <local binaries folder>/eop-tunnel.firewall /jffs/etc/config/eop-tunnel.firewall
put <local binaries folder>/eop-tunnel.startup /jffs/etc/config/eop-tunnel.startup
put <local binaries folder>/wireguard-init.sh /jffs/etc/wireguard/wireguard-init.sh
put <local binaries folder>/wireguard-nvram.sh /jffs/etc/wireguard/wireguard-nvram.sh
put <local binaries folder>/wireguard-firewall.txt /jffs/etc/wireguard/wireguard-firewall.txt
3. SSH into ddwrt and use Nano to edit eop-tunnel.startup
cd /jffs/etc/config
nano eop-tunnel.startup
Change line 27 that says 'insmod wireguard' to 'insmod /opt/etc/wireguard/wireguard.ko'
CTRL-X and Save file
4. SSH into ddwrt and use Nano to edit wireguard-nvram.sh
cd /jffs/etc/wireguard
nano wireguard-nvram.sh
Change all variables to match the current WireGuard configuration
CTRL-X and Save file
5. Copy the content of wireguard-firewall.txt to the clipboard
6. Paste the clipboard into the DDWRT GUI Administration Commands box and Save Firewall
7. Execute the nvram script in /jffs/etc/wireguard
sh wireguard-nvram.sh
reboot
8. Execute init and route fix scripts in /jffs/etc/wireguard
sh wireguard-init.sh
wg
(Cross fingers and verify that WireGuard is running and handshake with server has occurred)
Supporting Code for Scripts and Firewall
wireguard-init.sh
Code:
#!/bin/sh
# Bring the WireGuard tunnel up, load the firewall rules, then send all traffic through it.
echo "Configuring WireGuard tunnel..."
nvram set oet1_en="1"
sleep 2
/jffs/etc/config/eop-tunnel.startup
sleep 2
echo "Configuring Firewall..."
/jffs/etc/config/eop-tunnel.firewall
sleep 2
echo "Modifying Route tables..."
# Pin the WG server to the WAN gateway so the encrypted packets themselves never
# try to go through the tunnel, then replace the default route with oet1.
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
WANGWY=$(/usr/sbin/nvram get wan_gateway)
/sbin/route add -host "$WGSERVER" gw "$WANGWY" dev vlan2
/sbin/route del default
/sbin/route add default dev oet1
echo "Completed WireGuard Setup."
firewall.txt (paste this into DDWRT GUI Firewall)
Code:
# The nvram lookups must be command substitutions; a single-quoted 'nvram get ...'
# passes the literal text to iptables and the rule is rejected.
# This first rule masquerades on every outgoing interface, not only oet1.
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source "$(nvram get oet1_ipaddr)"/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$(nvram get oet1_ipaddr)"/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s "$(nvram get oet1_ipaddr)"/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT
iptables -I FORWARD -s "$(nvram get lan_ipaddr)"/16 -j ACCEPT
wireguard-nvram.sh
Code:
#!/bin/sh
echo "Write variables"
# number of tunnel my case only 1
nvram set oet_tunnels="1"
# if you want to use a preshared key set 1
nvram set oet1_usepsk0="0"
nvram set oet1_txq="1"
nvram set oet1_shaper="0"
nvram set oet1_rem0="*** SERVER PUBLIC IP GOES HERE ***"
nvram set oet1_rem="192.168.90.1"
# pub key of local endpoint
nvram set oet1_public="*** CLIENT PUBLICKEY GOES HERE ***"
nvram set oet1_pt="0"
# set here the pre shared key if you want to use one
nvram set oet1_psk0=""
# proto 2 is wireguard
nvram set oet1_proto="2"
# private key of local endpoint (nvram commit stores it in flash in the clear, and it
# is also in this script file: anyone with shell access to the router can read it)
nvram set oet1_private="*** CLIENT PRIVATEKEY GOES HERE ***"
# public port where wireguard tunnel is reachable
nvram set oet1_port="51821"
# number of peers
nvram set oet1_peers="1"
nvram set oet1_peerport0="51820"
nvram set oet1_peerkey0="*** SERVER PUBLICKEY GOES HERE ***"
# netmask of the wireguard network
nvram set oet1_netmask="255.255.255.0"
nvram set oet1_nat="1"
nvram set oet1_multicast="0"
nvram set oet1_mtu="1500"
nvram set oet1_mssfix="0"
nvram set oet1_local="0.0.0.0"
nvram set oet1_ka0="25"
nvram set oet1_isolation="0"
# ipaddress of the endpoint on the dd-wrt device (*** CHANGE THIS IP TO SUIT ***)
nvram set oet1_ipaddr="10.19.51.3"
nvram set oet1_id="1"
nvram set oet1_hwaddr="00:00:00:00:00:00"
nvram set oet1_fragment="0"
nvram set oet1_endpoint0="1"
# for now leave the tunnel disabled
nvram set oet1_en="0"
nvram set oet1_dns_redirect="0"
nvram set oet1_dns_ipaddr="0.0.0.0"
nvram set oet1_comp="0"
# set bridge to 0 otherwise the iptables rules are not added
nvram set oet1_bridged="0"
# ipaddress of the peer
nvram set oet1_aip0="0.0.0.0/0"
# Commit variables
echo "Save variables to nvram"
nvram commit
This is the complete WG setup onto Kong DDWRT that worked for me. Hopefully others will find this information helpful. The WireGuard VPN has worked flawlessly for several days already connected through both routers, no additional software or settings on any client devices required. WG shows a ton of promise for DDWRT users running the hardware to support it.
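A pre-flight check for the values that wireguard-nvram.sh writes, as an added example that is not part of the original post or of DD-WRT: it validates the key format, rejects leftover placeholders (which are what the startup script later reports as "Key is not the correct length or format"), checks the endpoint address and port, and compares the vermagic of wireguard.ko with the running kernel. The nvram variable names are the ones used above; the module path, the reading of the insmod error and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the tunnel settings
# before 'nvram commit' and before running eop-tunnel.startup.
# nvram names (oet1_private, oet1_peerkey0, oet1_rem0, oet1_peerport0,
# oet1_ipaddr) follow the thread; the module path is an assumption.

# A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus one '='.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Reject empty values and leftover placeholders like "*** ... GOES HERE ***" or "<pub key>".
no_placeholder() {
    case "$1" in
        ''|*'***'*|*'<'*|*'>'*) return 1 ;;
    esac
    return 0
}

# Dotted-quad IPv4 address with every octet in 0..255.
ipv4_ok() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# UDP port in 1..65535.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Kernel release a .ko was built for, taken from its vermagic string. An
# "insmod: unknown symbol in module" error usually means this differs from
# `uname -r` (module built for another kernel) or a dependency is not loaded.
module_kernel() {
    tr -c '[:print:]' '\n' < "$1" | sed -n 's/.*vermagic=\([^ ]*\).*/\1/p' | head -n 1
}

# Validate one tunnel's settings. Prints every problem found; returns 1 if any.
# Args: private key, peer public key, peer endpoint IP, peer port, local tunnel IP
check_tunnel_vars() {
    _bad=0
    { no_placeholder "$1" && wg_key_ok "$1"; } || { echo "bad oet1_private";   _bad=1; }
    { no_placeholder "$2" && wg_key_ok "$2"; } || { echo "bad oet1_peerkey0";  _bad=1; }
    { no_placeholder "$3" && ipv4_ok "$3";   } || { echo "bad oet1_rem0";      _bad=1; }
    port_ok "$4"                               || { echo "bad oet1_peerport0"; _bad=1; }
    { no_placeholder "$5" && ipv4_ok "$5";   } || { echo "bad oet1_ipaddr";    _bad=1; }
    [ "$1" != "$2" ] || { echo "private key and peer public key are identical"; _bad=1; }
    return $_bad
}

# On the router: check what is actually in NVRAM, then the module against the kernel.
# (Skipped on a machine without the nvram tool.)
if command -v nvram >/dev/null 2>&1; then
    check_tunnel_vars "$(nvram get oet1_private)" "$(nvram get oet1_peerkey0)" \
        "$(nvram get oet1_rem0)" "$(nvram get oet1_peerport0)" "$(nvram get oet1_ipaddr)" \
        && echo "oet1 settings look sane"
    ko=/opt/etc/wireguard/wireguard.ko   # path used in this thread; adjust if yours differs
    if [ ! -f "$ko" ]; then
        echo "warning: $ko not found"
    elif [ "$(module_kernel "$ko")" != "$(uname -r)" ]; then
        echo "warning: $ko built for kernel '$(module_kernel "$ko")', running $(uname -r)"
    fi
fi
```

Run it after editing wireguard-nvram.sh and before `sh wireguard-nvram.sh`; the key check only looks at the encoding, so a value that passes is well-formed, not necessarily the right key.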
etc, then you can add the following into the DD-WRT GUI
Go to administration > commands
Save Startup
Quote:
sleep 30
WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
WANGWY=$(/usr/sbin/nvram get wan_gateway)
route add -host $WGSERVER gw $WANGWY dev vlan2
route del default
route add default dev oet1
I put in a 30 second sleep so the WAN interface has time to come up before the command executes
Save Firewall
Quote:
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD 1 --source "$(nvram get oet1_ipaddr)"/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$(nvram get oet1_ipaddr)"/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s "$(nvram get oet1_ipaddr)"/20 -j MASQUERADE
iptables -I FORWARD -i br0 -o oet1 -j ACCEPT
iptables -I FORWARD -i oet1 -o br0 -j ACCEPT
Reboot, then test http://zx2c4.com/ip to see if you're routed to your VPS/VPN IP
also note the following
Quote:
iptables -I FORWARD 1 --source "$(nvram get oet1_ipaddr)"/20 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$(nvram get oet1_ipaddr)"/20 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s "$(nvram get oet1_ipaddr)"/20 -j MASQUERADE
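A check that goes further than looking up your IP on a web page, as an added example that is not part of any post in this thread: it reads `wg show oet1 dump` and `ip route` and reports whether the peer has a recent handshake, whether the default route really is oet1, and whether the WireGuard endpoint is still pinned to the WAN gateway (the three things that have to hold for traffic to leave through the tunnel). The functions take the command output as text so they can be tried on captured output; the tail of the script feeds them live data on the router. The interface name oet1 and the nvram names oet1_peerkey0 and oet1_rem0 follow the thread; the 180 s handshake window is an assumption.

```shell
#!/bin/sh
# Added example (not from the original posts): verify that the tunnel is up and
# is actually carrying the default route.

# Seconds since the last handshake with peer $2 in `wg show <if> dump` output $1,
# relative to epoch time $3. Dump lines are tab-separated; after the first
# (interface) line each peer line is:
#   pubkey psk endpoint allowed-ips latest-handshake rx-bytes tx-bytes keepalive
# Prints -1 if the peer is absent or has never handshaked.
handshake_age() {
    printf '%s\n' "$1" | awk -F'\t' -v peer="$2" -v now="$3" '
        NR > 1 && $1 == peer { age = ($5 == 0) ? -1 : now - $5; print age; found = 1; exit }
        END { if (!found) print "-1" }'
}

# Interface used by the default route in `ip route` output $1 (empty if none).
default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Gateway of the host route for endpoint $2 in `ip route` output $1 (empty if none).
endpoint_via() {
    printf '%s\n' "$1" | awk -v ep="$2" '$1 == ep { for (i = 2; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Combined verdict, 0 = traffic should be flowing through the tunnel.
# Args: wg dump, ip route output, peer public key, endpoint IP, epoch now, [max age, default 180]
tunnel_ok() {
    _age=$(handshake_age "$1" "$3" "$5")
    _max=${6:-180}
    if [ "$_age" -lt 0 ] || [ "$_age" -gt "$_max" ]; then
        echo "no recent handshake with $3 (age ${_age}s)"; return 1
    fi
    _dev=$(default_dev "$2")
    if [ "$_dev" != "oet1" ]; then
        echo "default route goes via '${_dev:-none}', not oet1: traffic bypasses the tunnel"; return 1
    fi
    if [ -z "$(endpoint_via "$2" "$4")" ]; then
        echo "no host route for endpoint $4 via the WAN gateway: tunnel packets would loop into oet1"; return 1
    fi
    echo "tunnel up: handshake ${_age}s ago, default route via oet1"
}

# On the router, check the live state (skipped on a machine without wg/nvram).
if command -v wg >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    tunnel_ok "$(wg show oet1 dump)" "$(ip route)" \
              "$(nvram get oet1_peerkey0)" "$(nvram get oet1_rem0)" "$(date +%s)"
fi
```

A handshake older than a few minutes with keepalive set to 25 means the session is stale even if `wg` still lists the peer; a default route via vlan2 is the symptom of the startup script having run before the WAN was up.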
Thanks for your detailed explanation on how to get Wireguard running on DD-WRT.
Personally, for me, the wg interface handshakes correctly, traceroute also working perfectly, the only issue is that the Internet is routed through WAN IP Address instead of OET1, despite saving and implementing the required Firewall settings.
What seems to be the issue? How can I redirect all the Internet traffic to OET1 tunnel?
Thanks, eibgrad, for a very educational post. I am a complete novice when it comes to firewall rules and the ones that I used from this thread did have me scratching my head for the reasons that you have detailed.
One issue that I have been dealing with is although these settings "work" for my router when the internet is coming in through the ethernet WAN port, they do not work when I use an iPhone USB tether for internet access (iph0). I can connect to the internet when tethering, but not through the WireGuard tunnel. Your post has provided a direction for me to follow to try and sort this out.
Update -- I think the iPhone tether is not working because the startup script is running before the iPhone connection is established.
Last edited by audia3 on Mon Apr 01, 2019 13:02; edited 1 time in total
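A fail-closed variant of the firewall rules posted earlier, as an added example that is not part of any post in this thread. The posted rules masquerade on every interface and accept forwarding in both directions, so whenever the tunnel is down, or before the startup script has swapped the default route, LAN clients simply reach the Internet over the WAN; the tethering symptom described above ("I can connect to the internet when tethering, but not through the WireGuard tunnel") is exactly that window. These rules let LAN traffic leave only through the tunnel and only let established flows come back in. The interface names br0, oet1 and vlan2 follow the thread; that the build's iptables has the `state` match is an assumption.

```shell
#!/bin/sh
# Added example (not from the original posts): kill-switch firewall rules for a
# DD-WRT WireGuard client router.

# Print the rules for one LAN bridge, tunnel interface and WAN interface.
wg_fw_rules() {
    lan=$1; tun=$2; wan=$3
    cat <<EOF
# NAT only what leaves through the tunnel (the posted rule masqueraded everything).
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
# LAN may initiate through the tunnel; the tunnel may only return established flows.
iptables -I FORWARD -i $lan -o $tun -j ACCEPT
iptables -I FORWARD -i $tun -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Fail closed: LAN traffic must never be forwarded out the WAN, tunnel up or not.
iptables -I FORWARD -i $lan -o $wan -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Apply the rules on the router (or paste the output of wg_fw_rules into the
# Administration > Commands firewall box in place of the posted rules).
wg_fw_apply() {
    wg_fw_rules "$@" | grep -v '^#' | sh -e
}

# Number of iptables commands produced, for a quick self-check.
wg_fw_count() {
    wg_fw_rules "$@" | grep -c '^iptables '
}

# Typical invocation on the routers from this thread:
#   wg_fw_apply br0 oet1 vlan2
```

These rules cover forwarded traffic only. The router's own packets, including dnsmasq lookups it makes on behalf of LAN clients, follow the routing table, so during the `sleep 30` window before the default route is moved to oet1 they still leave via the WAN; closing that needs an OUTPUT rule on vlan2 that permits only UDP to the WireGuard endpoint port (and DHCP for the WAN link), which is not shown here.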
Joined: 22 Mar 2019 Posts: 27 Location: Gamma Quadrant
Posted: Mon Apr 01, 2019 5:46 Post subject:
@eibgrad This is interesting insight. I'll be honest though, I don't fully grasp all the details of the concepts you're describing because I am new to advanced networking. I will be educating myself more about iptables/firewall rules and NAT. But your logic about the port forwarding does make sense, as I have no interest in accessing my network remotely through the tunnel. Thus, that rule should not apply to setting up a Wireguard client. However, forwarding would apply for a Wireguard server setup, correct?
I went ahead and tested your rule and it worked just fine. The results were identical to the previous block of firewall rules suggested in liverpoolatnight's guide, for my purposes at least. So not only is this simpler, but cutting out any redundancy is always a plus. And of course, none of my comments are meant to throw liverpoolatnight under the bus and undermine his efforts. I love seeing the progress being made here and this community acts in the interest to help one another. It's not like you said "you dummy, THIS is the right way" or something.
With your logic in mind, I would like your input on the firewall rules that are suggested in the DD-WRT Wireguard wiki here. Are these rules also superfluous and/or redundant?
Looking forward to your findings when you setup Wireguard yourself.
Oh, and as a final note, you mentioned that Kong builds should have the Wireguard GUI available. I can't speak for other hardware, but when I downloaded the latest K3-AC-Arm build for my EA6900 (which was about 2 weeks ago), the Wireguard GUI was NOT present. It *might* be implemented via the command line, but I personally didn't check. I switched to a Brainslayer build specifically for the Wireguard GUI natively being available.
Brilliant instructions, liverpoolatnight! I finally have Wireguard working on my Asus RT-N66U! Thanks so much!
Hi Audia3, hope you're doing well. Could you please help me out in how you got the Wireguard client working? I did try liverpoolatnight's instructions above but still can't redirect all my Internet traffic to the Wireguard tunnel.
Can you please help out, possibly with screenshots of your Wireguard config? I'm using Brainslayer's build on my Netgear R7000.
Joined: 22 Mar 2019 Posts: 27 Location: Gamma Quadrant
Posted: Fri Apr 05, 2019 9:11 Post subject:
rainin wrote:
audia3 wrote:
Brilliant instructions, liverpoolatnight! I finally have Wireguard working on my Asus RT-N66U! Thanks so much!
Hi Audia3, hope you're doing well. Could you please help me out in how you got the Wireguard client working? I did try liverpoolatnight's instructions above but still can't redirect all my Internet traffic to the Wireguard tunnel.
Can you please help out, possibly with screenshots of your Wireguard config? I'm using Brainslayer's build on my Netgear R7000.
Posted: Thu Aug 15, 2019 0:59 Post subject: eop-tunnel.startup runtime error - wireguard.ko
Hi,
I tried following the steps here with my Netgear R7000 router running Kong's 39960M build.
When I tried to test/run the startup script referenced here:
eop-tunnel.startup
I am getting the following output:
>>>>>>>
rmmod: eoip: No such file or directory
Invalid instance identifier br0
ip: can't find device 'oet1'
Key is not the correct length or format: `remove'
insmod: cannot insert '/jffs/lib/modules/4.4.180/wireguard.ko': unknown symbol in module
ip: RTNETLINK answers: Not supported
Unable to modify interface: Protocol not supported
Unable to modify interface: Protocol not supported
ifconfig: ioctl 0x8913 failed: No such device
Key is not the correct length or format: `<pub'
ip: can't find device 'oet1'
>>>>>>>>>>
NOTE: I do not see the oet1 interface showing in ifconfig output.
Not sure if that is the issue; I have tried several different wireguard.ko files but they all return that same insmod error.
I also noted that the oet1 interface does come up when issuing the ifconfig command after selecting 'RFC 3378...." Protocol Type under Setup-->Tunnels in Admin. menu (there is no Wireguard dropdown in this build still).
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Mon Mar 23, 2020 11:31 Post subject:
Sure no problem, have a look at my signature (bottom of this post) for the Wireguard setup guide, in that thread also posts with scripts for policy based routing.